
CVE-2021-38312: Redux Framework Auth Bypass Vulnerability

CVE-2021-38312 is an authorization bypass flaw in the Redux Gutenberg Template Library & Redux Framework plugin for WordPress that allows low-privileged users to install plugins and edit posts. This article covers technical details, affected versions, impact, and mitigation steps.


CVE-2021-38312 Overview

CVE-2021-38312 is an authorization bypass vulnerability affecting the Gutenberg Template Library & Redux Framework plugin for WordPress in versions 4.2.11 and earlier. This vulnerability allows low-privileged users, such as contributors, to install arbitrary plugins from the WordPress repository and edit arbitrary posts due to an incorrect authorization check in the REST API endpoints.

The vulnerability stems from improper permission validation in the REST API endpoints registered under the redux/v1/templates/ REST route. The permissions_callback function in redux-templates/classes/class-api.php only checked for the edit_posts capability, which is granted to lower-privileged users including contributors, rather than requiring administrator-level permissions for sensitive operations such as plugin installation.

Critical Impact

Over 1 million WordPress sites were potentially affected by this vulnerability, allowing low-privileged users to install arbitrary plugins and compromise site integrity.

Affected Products

  • Redux Gutenberg Template Library & Redux Framework versions <= 4.2.11
  • WordPress installations using the vulnerable Redux Framework plugin

Discovery Timeline

  • 2021-09-02 - CVE-2021-38312 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-38312

Vulnerability Analysis

This authorization bypass vulnerability (CWE-863: Incorrect Authorization, CWE-280: Improper Handling of Insufficient Permissions or Privileges) occurs because the plugin developers implemented an inadequate permission check for sensitive REST API functionality. The affected endpoints allow actions that should be restricted to administrators, but the implementation only verifies that the user has the edit_posts capability.

In WordPress, the edit_posts capability is granted to users with the Contributor role and above. Contributors are typically trusted to create draft posts but are not intended to have the ability to install plugins or modify other users' content. By leveraging this flaw, an attacker with contributor-level access can escalate their privileges to perform administrative actions.

The exploitation path is straightforward: an authenticated user with minimal privileges can send crafted REST API requests to the vulnerable endpoints under redux/v1/templates/ to install arbitrary plugins from the WordPress.org repository. This could be leveraged to install plugins with known vulnerabilities or backdoors, potentially leading to complete site compromise.

Root Cause

The root cause is the use of an insufficient permission check in the permissions_callback function within redux-templates/classes/class-api.php. The callback only validates that the requesting user has the edit_posts capability, which is available to low-privileged user roles like Contributors. For plugin installation and arbitrary post editing functionality, the check should have verified administrator-level capabilities such as install_plugins or manage_options.
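As an added illustration, not code from the Redux plugin itself, the following shows the shape of a redux/v1/templates/ route registration with the weak edit_posts check noted for contrast, and permission callbacks that demand the capability WordPress core requires for each action. The route paths, parameter names and the redux_example_* handler names are assumptions made for this example.

```php
<?php
// Added illustration, not the Redux plugin's own code. Route paths, parameter
// names and the redux_example_* handler names are assumptions.
// Corrected check for plugin installation: install_plugins is the capability
// core's own installer requires (Administrators; Super Admins on multisite).
function redux_example_can_install( WP_REST_Request $request ) {
    return current_user_can( 'install_plugins' );
}

// Corrected check for editing a post: the meta capability edit_post is
// resolved per post, so a Contributor passes only for their own drafts.
function redux_example_can_edit_post( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    return $post_id > 0 && current_user_can( 'edit_post', $post_id );
}

function redux_example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $info = plugins_api( 'plugin_information', array( 'slug' => sanitize_key( $request['slug'] ) ) );
    if ( is_wp_error( $info ) ) {
        return $info;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $info->download_link );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'installed' => (bool) $result ) );
}

function redux_example_edit_post( WP_REST_Request $request ) {
    $result = wp_update_post( array(
        'ID'           => (int) $request['post_id'],
        'post_content' => wp_kses_post( (string) $request['content'] ),
    ), true );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => $result ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'redux/v1', '/templates/plugin-install', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'redux_example_install_plugin',
        // Vulnerable pattern: a shared check that only asks for edit_posts,
        // which Contributors hold:  fn() => current_user_can( 'edit_posts' )
        'permission_callback' => 'redux_example_can_install',
    ) );
    register_rest_route( 'redux/v1', '/templates/edit-post', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'redux_example_edit_post',
        'permission_callback' => 'redux_example_can_edit_post',
    ) );
} );
```

The defence is matching each route's permission_callback to the capability of the action it performs, rather than sharing one low bar across every route.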

Attack Vector

The attack vector is network-based and requires low-privilege authentication (contributor-level access). An attacker would:

  1. Obtain or create a contributor-level account on a vulnerable WordPress site
  2. Authenticate to the WordPress REST API
  3. Send crafted requests to the redux/v1/templates/ endpoints
  4. Install arbitrary plugins from the WordPress repository or edit posts belonging to other users

The vulnerability is exploitable without user interaction and has a high impact on integrity, as attackers can modify site content and install potentially malicious plugins that could lead to further compromise.

Detection Methods for CVE-2021-38312

Indicators of Compromise

  • Unexpected plugin installations on WordPress sites, particularly those not authorized by administrators
  • Unauthorized modifications to posts by contributor-level users
  • Suspicious REST API requests to /wp-json/redux/v1/templates/ endpoints from non-administrator accounts
  • Audit log entries showing plugin installations by users who should not have such permissions

Detection Strategies

  • Monitor WordPress audit logs for plugin installation events initiated by non-administrator users
  • Implement web application firewall (WAF) rules to detect and alert on REST API calls to redux/v1/templates/ endpoints from lower-privileged users
  • Review installed plugins regularly for unauthorized additions
  • Enable detailed logging of REST API requests and responses for forensic analysis

Monitoring Recommendations

  • Configure alerting for any plugin installation attempts by users without the install_plugins capability
  • Set up file integrity monitoring to detect newly installed plugins
  • Monitor for unusual REST API activity patterns, particularly POST requests to Redux Framework endpoints
  • Implement real-time security monitoring with SentinelOne Singularity to detect and respond to exploitation attempts

How to Mitigate CVE-2021-38312

Immediate Actions Required

  • Update the Gutenberg Template Library & Redux Framework plugin to a version newer than 4.2.11 immediately
  • Audit your WordPress site for any unauthorized plugin installations or post modifications
  • Review all user accounts with contributor-level access and above for signs of compromise
  • Consider temporarily disabling or removing the plugin if an immediate update is not possible

Patch Information

The vulnerability has been addressed in versions of the Redux Framework plugin released after version 4.2.11. Site administrators should update to the latest available version through the WordPress plugin repository. For detailed information about the vulnerability and affected versions, refer to the Wordfence Blog on Redux Vulnerabilities.

Workarounds

  • Remove or deactivate the Gutenberg Template Library & Redux Framework plugin until it can be updated
  • Restrict contributor-level accounts to only trusted individuals until the patch is applied
  • Implement a web application firewall (WAF) to block unauthorized REST API requests to redux/v1/templates/ endpoints
  • Use WordPress security plugins to monitor and limit REST API access based on user capabilities
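As an added example covering both the logging recommended under Detection Strategies and the capability-based REST restriction listed above, this drop-in mu-plugin (not Redux's own code) refuses redux/v1/templates/ requests from any user lacking install_plugins and writes one structured line per attempt. The log line format and the redux_guard_event action name are assumptions.

```php
<?php
/**
 * Plugin Name: Redux templates REST guard (added example)
 * Description: Blocks and logs redux/v1/templates/ REST requests from users
 *              without install_plugins. Not Redux's own code; the log format
 *              and action name are assumptions. Place in wp-content/mu-plugins/.
 */

// rest_pre_dispatch runs after authentication but before the route's own
// permission_callback, so returning a WP_Error here short-circuits the call.
function redux_guard_pre_dispatch( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/redux/v1/templates' ) ) {
        return $result; // not a Redux template route, leave it alone
    }
    $user    = wp_get_current_user();
    $allowed = current_user_can( 'install_plugins' );
    redux_guard_log( array(
        'event'   => $allowed ? 'redux_templates_request' : 'redux_templates_blocked',
        'route'   => $route,
        'method'  => $request->get_method(),
        'user_id' => $user->ID, // 0 for unauthenticated callers
        'user'    => $user->user_login,
        'roles'   => implode( ',', (array) $user->roles ),
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    ) );
    if ( $allowed ) {
        return $result; // administrators proceed to the plugin's own handler
    }
    return new WP_Error( 'redux_guard_forbidden', 'Redux template routes require install_plugins.', array( 'status' => 403 ) );
}
add_filter( 'rest_pre_dispatch', 'redux_guard_pre_dispatch', 10, 3 );

// One JSON line per request goes to the PHP error log; the action lets an
// audit-log or SIEM shipper plugin pick up the same event.
function redux_guard_log( array $fields ) {
    $fields['ts'] = gmdate( 'c' );
    error_log( 'redux_guard ' . wp_json_encode( $fields ) );
    do_action( 'redux_guard_event', $fields );
}
```

This guard also stops non-administrators from legitimately browsing the template library, so it is a stop-gap until the plugin is updated, not a replacement for the update.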

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
